NIST 800-53 r5 · Controls catalogue · Family SR
SR-8 Notification Agreements
Establish agreements and procedures with entities involved in the supply chain for the system, system component, or system service for the {{ insert: param, sr-08_odp.01 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (4) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 254 | Agreements establish channels for suppliers to report integrity or compromise issues in included third-party functionality, shrinking the window for exploitation. |
| CWE-494 | Download of Code Without Integrity Check | 242 | Suppliers can be contractually required to notify of integrity failures or required updates for delivered code, improving detection of tampering. |
| CWE-506 | Embedded Malicious Code | 80 | Notification agreements enable suppliers to alert acquirers to discovered or suspected embedded malicious code, directly supporting detection and response. |
| CWE-1104 | Use of Unmaintained Third Party Components | 19 | Notification procedures can mandate alerts when third-party components reach end-of-life or lose support, reducing prolonged use of vulnerable components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |